Microsoft Cloud App Security — rebranded Microsoft Defender for Cloud Apps (MDCA) in 2021, still commonly called MCAS in procurement conversations — is the Microsoft cloud access security broker (CASB). It is licensed three ways in 2026: standalone at $3.50/user/month (formerly Cloud App Security E5), bundled into Microsoft 365 E5 Security ($12/user/month with MDI, MDO P2, MDE P2, Entra ID P2), or bundled into M365 E5 ($57/user/month). A discovery-only SKU at no charge ships with Defender for Endpoint Plan 1 and gives a partial view of shadow IT but does not include the session control, conditional access app control, or DLP integration that justifies the paid SKU. The procurement question is rarely whether to buy MDCA — it is which entry vehicle and how the SKU stacks up against your existing Netskope, Zscaler, or Palo Alto Prisma deployment.
What MDCA actually does — the four pillars
Microsoft Defender for Cloud Apps is a CASB plus SaaS Security Posture Management (SSPM) product. It operates on four pillars: cloud discovery (ingesting firewall logs to map shadow IT usage across 31,000+ catalogued cloud apps), information protection (DLP policies applied to cloud-app content via API connectors to Box, Dropbox, ServiceNow, Salesforce, Workday, Google Workspace, and others), threat protection (anomaly detection and policy enforcement on cloud-app behaviour), and conditional access app control (in-session policy enforcement via Entra ID Conditional Access reverse-proxy). The fourth pillar is the differentiator against most third-party CASBs — it relies on the Entra ID identity surface and is the reason most enterprises buying into the Microsoft security stack consolidate onto MDCA.
The three licensing paths in 2026
- Standalone MDCA. $3.50/user/month. Available on EA, MPSA, CSP, and MCA-E. Useful when MDCA is the only Defender workload the customer wants.
- Microsoft 365 E5 Security add-on. $12/user/month on top of E3. Includes MDCA, MDI, MDO P2, MDE P2, and Entra ID P2. The natural home if two or more Defender workloads are in scope.
- Microsoft 365 E5 (full suite). $57/user/month. Includes everything in E5 Security plus Purview, Power BI Pro, and Teams Premium components.
The free Cloud App Discovery tier shipping with Defender for Endpoint Plan 1 is sometimes proposed by the LSP as a substitute. It is not. The discovery tier covers shadow IT mapping only; the session control, conditional access app control, and information protection layers all require the paid SKU. Treat it as a useful complementary signal, not a replacement.
Breakeven against the à-la-carte stack
| Workloads needed | Cheapest path | All-in per user |
|---|---|---|
| MDCA only | Standalone | $3.50 |
| MDCA + MDE P2 | Standalone MDCA + MDE P2 ($5.20) | $8.70 |
| MDCA + MDE P2 + MDO P2 | Standalone bundle ($3.50 + $5.20 + $5.00) | $13.70 |
| MDCA + MDE P2 + MDO P2 + MDI | M365 E5 Security add-on | $12.00 |
| Full Defender XDR + Purview + Power BI | M365 E5 | $57 over $36 E3 |
The breakeven for the E5 Security add-on against the à-la-carte stack lands at exactly four Defender products (the math flips between three and four products depending on the MDE plan in scope). Treat the breakeven thresholds as the negotiation anchor — not the standalone price.
Third-party CASB overlap — the displacement decision
Most large enterprises run a third-party CASB (Netskope, Zscaler ZIA / ZPA, Palo Alto Prisma Access, McAfee MVISION, Lookout) for cloud app visibility. Adding MDCA via E5 or E5 Security creates a displacement opportunity. The displacement decision turns on four questions: does the third-party product cover non-Microsoft identity surfaces (where MDCA leans on Entra ID), does the third-party product integrate with your secure web gateway and SD-WAN posture (where MDCA does not), what is the contractual exit window on the third-party agreement, and what is the SOC operating cost of running two CASBs in parallel during a migration.
The pattern we see: organisations with strong Entra ID dependency and Microsoft-centric identity displace third-party CASB to MDCA at the next CASB renewal. Organisations with material non-Microsoft identity (Okta as primary, federated identity, complex contractor populations) tend to retain the third-party CASB and use MDCA selectively for the Microsoft cloud-app coverage.
EA negotiation levers specific to MDCA
- Standalone-to-bundle migration credit. Customers on standalone MDCA who consolidate into E5 Security should expect a credit for the unused tail of the standalone commitment. Ask in writing in the EA amendment.
- API connector inventory. The MDCA value comes from API-connected SaaS coverage. Walk into the renewal with a documented list of the SaaS apps you intend to connect and benchmark against the third-party CASB’s coverage of the same list. Microsoft cannot defend the SKU against your inventory; the LSP cannot bluff against documented coverage.
- Conditional Access App Control population. The CAAC reverse-proxy capability only covers users with at least Entra ID P1 — usually P2 in mature deployments. Reconcile the licensed MDCA population against the Entra ID P1/P2 population at renewal. Mismatches are common.
- Step-up from MDCA Discovery. Microsoft sometimes offers an upgrade-credit path from MDCA Discovery (free with MDE P1) to full MDCA. Capture this in the amendment.
- Price protection. Lock the per-user MDCA price across the EA term with explicit anti-uplift language. The 2024 MDCA repricing caught buyers without protection by surprise.
Anonymised case study: $620K displacement saving
A 21,000-employee retail enterprise carried a 4-year Netskope contract at $1.4M annually and an EA proposal to add full-base MDCA via E5 Security add-on for the 16,000 Entra ID P1+ population. We modelled the displacement: the Netskope contract had a 14-month tail and a renewal window two months before the M365 EA renewal. We negotiated a 9-month parallel-run during which MDCA absorbed the SaaS coverage and the SOC migrated the policy set; Netskope was non-renewed at its anniversary. The E5 Security add-on cost $12/user/month for the 16,000 population ($2.3M annualised) but absorbed MDCA, MDI, MDO P2, MDE P2, and Entra P2 — replacing $1.4M of Netskope and $480K of standalone Defender stack. Net annualised security-stack cost reduction: $620K. The Entra ID P2 alignment also recovered $310K of Conditional Access licensing that had been over-provisioned.
Microsoft Cloud App Security — or Defender for Cloud Apps — is a CASB licensing decision with a Microsoft-bundle wrapper. Map the third-party overlap, walk into the renewal with a documented API-connector inventory, and use the breakeven thresholds as the negotiation anchor. Pair the analysis with the broader Defender XDR landscape and the 2026 EA tier-collapse context, and MDCA stops being a $3.50 add-on and starts behaving like the structural security decision it actually is.